tcpreplay/docs/web/man/tcpprep.html

<!--#exec cmd="header tcpprep" -->
<ul>
</ul><H2>NAME </H2><ul>

tcpprep - Create a tcpreplay cache cache file from a pcap file.

</ul><H2>SYNOPSIS </H2><ul>

<b>tcpprep</b> 
[<b>-<i>flag</i></b> [<i>value</i>]]... [<b>--<i>opt-name</i></b> [[=| ]<i>value</i>]]...

<p>
All arguments must be options.

<p>
tcpprep is a <i>pcap(3)</i> file pre-processor which creates a cache
file which provides "rules" for <i>tcprewrite(1)</i> and <i>tcpreplay(1)</i>
on how to process and send packets.

</ul><H2>DESCRIPTION </H2><ul>

This manual page documents, briefly, the <b>tcpprep</b> command.
The basic operation of tcpreplay is to resend all packets from the
input file(s) out a single file.  Tcpprep processes a pcap file and 
applies a set of user-specified rules to create a cache file which 
tells tcpreplay wether or not to send each packet and which interface the
packet should be sent out of.

</ul><H2>OPTIONS </H2><ul>

<p><dl compact><dt><b>-d</b> <i>number</i>, <b>--dbug</b>=<b><i>number</i></b>
<dd>Enable debugging output.
This option may appear up to 1 times.
This option takes an integer number as its argument.
The value of <i>number</i> is constrained to being:
<pre>
in the range  0 through 5
<br></pre>
The default <i>number</i> for this option is:
</dl><br>
 0

<p>
If configured with --enable-debug, then you can specify a verbosity 
level for debugging output.  Higher numbers increase verbosity.
<p><dl compact><dt><b>-a</b> <i>string</i>, <b>--auto</b>=<b><i>string</i></b>
<dd>Auto-split mode.
This option may appear up to 1 times.
This option must not appear in combination with any of the following options:
cidr, port, regex, mac.
</dl>
<p>
Tcpprep will try to automatically determine the primary function of hosts
based on the traffic captured and classify each host as client or server.
In order to do so, you must provide a hint to tcpprep as to how to search
for clients and servers.  Valid hints are:

<p>
<p>
<b>bridge</b>
Bridge mode processes each packet to try to determine if the sender is a 
client or server.  Once all the packets are processed, the results are weighed
according to the server/client ratio (<b>--ratio</b>) and systems are assigned an
interface.  If tcpprep is unable to determine what role a system plays, tcpprep
will abort.

<p>
<b>router</b>
Router mode works just like bridge mode, except that after weighing is done, 
systems which are undetermined are considered a server if they fall inside a 
network known to contain other servers.  Router has a greater chance of
successfully splitting clients and servers but is not 100% foolproof.

<p>
<b>client</b>
Client mode works just like bridge mode, except that unclassified systems are
treated as clients.  Client mode should always complete successfully.

<p>
<b>server</b>
Server mode works just like bridge mode, except that unclassified systems are
treated as servers.  Server mode should always complete successfully.
<br>
<p><dl compact><dt><b>-c</b> <i>string</i>, <b>--cidr</b>=<b><i>string</i></b>
<dd>CIDR-split mode.
This option may appear up to 1 times.
This option must not appear in combination with any of the following options:
auto, port, regex, mac.
</dl>
<p>
Specify a comma delimited list of CIDR netblocks to match against
the source IP of each packet.  Packets matching any of the CIDR's
are classified as servers.
<p><dl compact><dt><b>-r</b> <i>string</i>, <b>--regex</b>=<b><i>string</i></b>
<dd>Regex-split mode.
This option may appear up to 1 times.
This option must not appear in combination with any of the following options:
auto, port, cidr, mac.
</dl>
<p>
Specify a regular expression to match against the source IP of each
packet.  Packets matching the regex are classified as servers.
<p><dl compact><dt><b>-p</b>, <b>--port</b>
<dd>Port-split mode.
This option may appear up to 1 times.
This option must not appear in combination with any of the following options:
auto, regex, cidr, mac.
</dl>
<p>
Specifies that TCP and UDP traffic should be classified as client
or server based upon the destination port of the header.
<p><dl compact><dt><b>-e</b> <i>string</i>, <b>--mac</b>=<b><i>string</i></b>
<dd>Source MAC split mode.
This option may appear up to 1 times.
This option must not appear in combination with any of the following options:
auto, regex, cidr, port.
</dl>
<p>
Specify a list of MAC addresses to match against the source MAC
of each packet.  Packets matching one of the values are classified
as servers.	
<p><dl compact><dt><b>-C</b> <i>string</i>, <b>--comment</b>=<b><i>string</i></b>
<dd>Embeded cache file comment.
This option may appear up to 1 times.
</dl>
<p>
Specify a comment to be imbedded within the output cache file and later
viewed.
<p><dl compact><dt><b>--no-arg-comment</b>
<dd>Do not embed any cache file comment.
This option may appear up to 1 times.
</dl>
<p>
By default, tcpprep includes the arguments passed on the command line
in the cache file comment (in addition to any user specified --comment).
If for some reason you do not wish to include this, specify this option.
<p><dl compact><dt><b>-x</b> <i>string</i>, <b>--include</b>=<b><i>string</i></b>
<dd>Include only packets matching rule.
This option may appear up to 1 times.
This option must not appear in combination with any of the following options:
exclude.
</dl>
<p>
Override default of sending all packets stored in the capture file and only
send packets which match the provided rule.  Rules can be one of:

<p>
<p>
<i>S:&lt;CIDR1&gt;,... </i>
- Source IP must match specified CIDR(s)

<p>
<i>D:&lt;CIDR1&gt;,... </i>
- Destination IP must match specified CIDR(s)

<p>
<i>B:&lt;CIDR1&gt;,... </i>
- Both source and destination IP must match specified CIDR(s)

<p>
<i>E:&lt;CIDR1&gt;,... </i>
- Either IP must match specified CIDR(s)

<p>
<i>P:&lt;LIST&gt;      </i>
- Must be one of the listed packets where the list
corresponds to the packet number in the capture file.
<pre>
    -x P:1-5,9,15,72-
<br></pre>
would send packets 1 thru 5, the 9th and 15th packet, and packets 72 until the
end of the file

<p>
<i>F:'&lt;bpf&gt;'</i>
- BPF filter.  See the <i>tcpdump(8)</i> man page for syntax.
<br>
<p><dl compact><dt><b>-X</b> <i>string</i>, <b>--exclude</b>=<b><i>string</i></b>
<dd>Exclude any packet matching this rule.
This option may appear up to 1 times.
This option must not appear in combination with any of the following options:
include.
</dl>
<p>
Override default of sending all packets stored in the capture file and only
send packets which do not match the provided rule.  Rules can be one of:

<p>
<p>
<i>S:&lt;CIDR1&gt;,... </i>
- Source IP must not match specified CIDR(s)

<p>
<i>D:&lt;CIDR1&gt;,... </i>
- Destination IP must not match specified CIDR(s)

<p>
<i>B:&lt;CIDR1&gt;,... </i>
- Both source and destination IP must not match specified CIDR(s)

<p>
<i>E:&lt;CIDR1&gt;,... </i>
- Either IP must not match specified CIDR(s)

<p>
<i>P:&lt;LIST&gt;      </i>
- Must not be one of the listed packets where the list
corresponds to the packet number in the capture file.
<pre>
    -x P:1-5,9,15,72-
<br></pre>
would drop packets 1 thru 5, the 9th and 15th packet, and packets 72 until the
end of the file
<br>
<p><dl compact><dt><b>-o</b> <i>string</i>, <b>--cachefile</b>=<b><i>string</i></b>
<dd>Output cache file.
This option may appear up to 1 times.
</dl>
<p>

<p><p><dl compact><dt><b>-i</b> <i>string</i>, <b>--pcap</b>=<b><i>string</i></b>
<dd>Input pcap file to process.
This option may appear up to 1 times.
</dl>
<p>

<p><p><dl compact><dt><b>-P</b> <i>string</i>, <b>--print-comment</b>=<b><i>string</i></b>
<dd>Print embedded comment in the specified cache file.
</dl>
<p>

<p><p><dl compact><dt><b>-I</b> <i>string</i>, <b>--print-info</b>=<b><i>string</i></b>
<dd>Print basic info from the specified cache file.
</dl>
<p>

<p><p><dl compact><dt><b>-S</b> <i>string</i>, <b>--print-stats</b>=<b><i>string</i></b>
<dd>Print statistical information about the specified cache file.
</dl>
<p>

<p><p><dl compact><dt><b>-s</b> <i>string</i>, <b>--services</b>=<b><i>string</i></b>
<dd>Load services file for server ports.
</dl>
<p>
This option has not been fully documented.
<p><dl compact><dt><b>-N</b>, <b>--nonip</b>
<dd>Send non-IP traffic out server interface.
</dl>
<p>
By default, non-IP traffic which can not be classified as client
or server is classified as "client".  Specifiying <b>--nonip</b>
will reclassify non-IP traffic as "server".
<p><dl compact><dt><b>-R</b> <i>string</i>, <b>--ratio</b>=<b><i>string</i></b>
<dd>Ratio of client to server packets.
This option may appear up to 1 times.
This option must appear in combination with the following options:
auto.
</dl>
<p>
Since a given host may have both client and server traffic being sent
to/from it, tcpprep uses a ratio to weigh these packets.  If you would
like to override the default of 2:1 server to client packets required for
a host to be classified as a server, specify it as a floating point value.
<p><dl compact><dt><b>-m</b> <i>number</i>, <b>--minmask</b>=<b><i>number</i></b>
<dd>Minimum network mask length in auto mode.
This option may appear up to 1 times.
This option must appear in combination with the following options:
auto.
This option takes an integer number as its argument.
The value of <i>number</i> is constrained to being:
<pre>
in the range  0 through 32
<br></pre>
</dl>
<p>
By default, auto modes use a minimum network mask length of 30 bits
to build networks containing clients and servers.  This allows you
to override this value.  Larger values will increase performance but
may provide inaccurate results.
<p><dl compact><dt><b>-M</b> <i>number</i>, <b>--maxmask</b>=<b><i>number</i></b>
<dd>Maximum network mask length in auto mode.
This option may appear up to 1 times.
This option must appear in combination with the following options:
auto.
This option takes an integer number as its argument.
The value of <i>number</i> is constrained to being:
<pre>
in the range  0 through 32
<br></pre>
</dl>
<p>
By default, auto modes use a maximum network mask length of 8 bits
to build networks containing clients and servers.  This allows you
to override this value.  Larger values will decrease performance
and accuracy but will provide greater chance of success.
<p><dl compact><dt><b>-v</b>, <b>--verbose</b>
<dd>Print decoded packets via tcpdump to STDOUT.
This option may appear up to 1 times.
</dl>
<p>

<p><p><dl compact><dt><b>-A</b> <i>string</i>, <b>--decode</b>=<b><i>string</i></b>
<dd>Arguments passed to tcpdump decoder.
This option may appear up to 1 times.
This option must appear in combination with the following options:
verbose.
</dl>
<p>
When enabling verbose mode (<b>-v</b>) you may also specify one or
more additional arguments to pass to <b>tcpdump</b> to modify
the way packets are decoded.  By default, -n and -l are used.
Be sure to quote the arguments so that they are not interpreted
by tcprewrite.  The following arguments are valid:
    [ -aAeNqRStuvxX ]
    [ -E spi@ipaddr algo:secret,... ]
    [ -s snaplen ]
<p><dl compact><dt><b>-V</b>, <b>--version</b>
<dd>Print version information.
</dl>
<p>

<p><p><dl compact><dt><b>-h</b>, <b>--less-help</b>
<dd>Display less usage information and exit.
</dl>
<p>
This option has not been fully documented.
<p><dl compact><dt><b>-H</b>,<b> --help</b>
<dd>Display usage information and exit.
<dt><b>-!</b>,<b> --more-help</b>
<dd>Extended usage information passed thru pager.
<dt><b>-</b> [<i>rcfile</i>],<b> --save-opts</b>[=<i>rcfile</i>]
<dd>Save the option state to <i>rcfile</i>.  The default is the <i>last</i>
configuration file listed in the <b>OPTION PRESETS</b> section, below.
<dt><b>-</b> <i>rcfile</i>,<b> --load-opts</b>=<i>rcfile</i>,<b> --no-load-opts</b>
<dd>Load options from <i>rcfile</i>.
The <i>no-load-opts</i> form will disable the loading
of earlier RC/INI files.  <i>--no-load-opts</i> is handled early,
out of order.
</dl>
</ul><H2>OPTION PRESETS </H2><ul>

Any option that is not marked as <i>not presettable</i> may be preset
by loading values from configuration ("RC" or ".INI") file(s).
The <i>homerc</i> file is "<i>$$/</i>", unless that is a directory.
In that case, the file "<i>.tcppreprc</i>"
is searched for within that directory.

</ul><H2>SEE ALSO </H2><ul>

tcpdump(1), tcprewrite(1), tcpreplay(1)

</ul><H2>AUTHOR </H2><ul>

Copyright 2000-2005 Aaron Turner

<p>For support please use the tcpreplay-users@lists.sourceforge.net mailing list.

<p>
Released under the Free BSD License.

<p>
This manual page was <i>AutoGen</i>-erated from the <b>tcpprep</b>
option definitions.
</ul>
<!--#exec cmd="trailer" -->